Cryptology ePrint Archive: Report 2009/480

On Cryptographic Protocols Employing Asymmetric Pairings -- The Role of $\Psi$ Revisited

Sanjit Chatterjee and Alfred Menezes

Abstract: Asymmetric pairings $e : \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ for which an efficiently-computable isomorphism $\psi : \mathbb{G}_2 \rightarrow \mathbb{G}_1$ is known are called Type 2 pairings; if such an isomorphism $\psi$ is not known then $e$ is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of $\psi$ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.